Privacy Policy
Last Updated: November 21, 2025
Your Privacy Matters: This Privacy Policy explains how we collect, use, protect, and handle your information when you use the Fastag Management System.
1. Information We Collect
1.1 Account Information
- Username and password (encrypted)
- Email address (if provided during registration)
- User role and permissions
1.2 Vehicle and FASTag Data
- Vehicle registration numbers
- FASTag IDs and related information
- Transaction records and access logs
- KYC user information (name, contact, address)
1.3 Usage Data
- Login timestamps and IP addresses
- Actions performed within the system (audit logs)
- System performance and error logs
1.4 OAuth and Third-Party Authentication
- OAuth tokens for Google Drive integration (encrypted)
- Google account email (only when using Google Drive backup)
- We do NOT store your Google password
2. How We Use Your Information
We use collected information for:
- Service Operation: Managing FASTag operations, user access, and vehicle tracking
- Backups: Creating and storing database backups (locally and to Google Drive if configured)
- Security: Authentication, authorization, and audit logging
- System Improvement: Analyzing usage patterns to improve functionality
- Troubleshooting: Debugging errors and resolving technical issues
3. Google Drive Integration
When you enable Google Drive backup:
3.1 What We Access
- We request access to your Google Drive for backup storage only
- We use OAuth 2.0 for secure authentication
- We store OAuth tokens locally on the server (encrypted)
- We create, read, and delete backup files in your Google Drive
3.2 What We DON'T Access
- We do NOT access your Gmail, Calendar, or other Google services
- We do NOT read or modify your personal files (only backup files we create)
- We do NOT share your Google data with third parties
- We do NOT store your Google password
3.3 Token Storage and Security
- OAuth tokens are stored in encrypted format
- Tokens are stored with restricted file permissions (600 - owner only)
- Tokens automatically refresh and never expire (unless you revoke access)
- You can revoke access at any time via Google Account settings or within our application
4. Data Storage and Security
4.1 Local Storage
- Data is stored in an SQLite database on the server
- Database files are protected with appropriate file system permissions
- Passwords are hashed using industry-standard algorithms
- Sensitive data is encrypted at rest
4.2 Backup Storage
- Local backups are stored in the instance/backups directory
- Google Drive backups are stored in your Google Drive (you control the folder)
- Backups contain complete database dumps (all user data)
- Old backups are automatically deleted based on retention policies
4.3 Security Measures
- HTTPS encryption for all data transmission (recommended)
- Session management with secure cookies (HttpOnly, SameSite)
- Regular security audits and updates
- Access control and role-based permissions
- Audit logging of all critical actions
5. Data Sharing and Disclosure
We do NOT sell, trade, or rent your personal information to third parties.
5.1 When We May Share Data
- With Your Consent: When you explicitly authorize data sharing
- Google Drive: Only when you enable backup integration
- Legal Requirements: If required by law or legal process
- Service Providers: Only if necessary for service operation (with strict confidentiality agreements)
6. Data Retention
- User Accounts: Retained until account deletion
- Transaction Logs: Retained per business requirements
- Audit Logs: Retained for security and compliance
- Backups: Retained based on configured retention policy (default 30 days)
- OAuth Tokens: Retained until revoked by user
7. Your Rights
You have the right to:
- Access: View your personal information stored in the system
- Correction: Request corrections to inaccurate data
- Deletion: Request deletion of your account and data
- Revocation: Revoke OAuth permissions at any time
- Export: Request a copy of your data
- Opt-out: Disable optional features like Google Drive backup
8. Cookies and Session Management
- We use session cookies for authentication
- Session cookies expire after 30 days of inactivity
- Cookies are marked as HttpOnly and SameSite for security
- No third-party tracking cookies are used
9. Children's Privacy
This Service is intended for business use and not directed to children under 13. We do not knowingly collect information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes by updating the "Last Updated" date. Continued use of the Service after changes constitutes acceptance.
11. Third-Party Services
This Service integrates with:
- Google Drive API: For backup storage (subject to Google's Privacy Policy)
- Google OAuth 2.0: For authentication (subject to Google's Privacy Policy)
We recommend reviewing Google's Privacy Policy for information about how Google handles your data.
12. Data Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users promptly and take appropriate measures to mitigate the impact.
13. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or your personal data:
- Contact your system administrator
- Use the contact information provided in your service agreement
14. Compliance
This Privacy Policy is designed to comply with applicable data protection laws. If you have concerns about our privacy practices, please contact us.